Somerville College – current staff, office holders and senior members privacy notice

Privacy notice – current staff, office holders and senior members

 

A summary of what this notice explains

Somerville College is committed to protecting the privacy and security of personal data.

This notice explains what personal data Somerville College holds about current staff, office holders and senior members (“you”), how we use it internally, how we share it, how long we keep it and what your legal rights are in relation to it.  In addition to those employed by, or otherwise holding College positions, this notice should be read by the self-employed providers and other contractors engaged to provide services to the College.  Personal data relating to volunteers who assist with College fundraising, projects and events is also covered by this notice.

 

This notice does not form part of any contract of employment or other contract to provide services.

For the parts of your personal data that you supply to us to us, this notice also explains the basis on which you are required or requested to provide the information.  For the parts of your personal data that we generate about you, or that we receive from others, it explains the source of the data.

 

There are some instances where we process your personal data on the basis of your consent.  This notice sets out the categories and purposes of data where your consent is needed.

 

Somerville College has also published separate notices, which are applicable to other groups and activities.  Those notices may also apply to you, depending on your circumstances, and it is important that you read this privacy notice together with other applicable privacy notices:

  1. current students
  2. alumni and donors (including what financial information we hold about our alumni and how we use it when considering fundraising initiatives)
  3. archives (which explains what data we hold in our archive)
  4. security, maintenance and health and safety (including how we use CCTV)
  5. website and cookies (including how we monitor use of our website)
  6. IT systems (including how we monitor internet and email usage)

You can access past versions of our privacy notices via the Policies page of the College website.

What is your personal data and how does the law regulate our use of it?

“Personal data” is information relating to you as a living, identifiable individual.  We refer to this as “your data”.   Data protection law requires Somerville College (“us” or “we”), as data controller for your data:

  • To process your data in a lawful, fair and transparent way;
  • To only collect your data for explicit and legitimate purposes;
  • To only collect data that is relevant, and limited to the purpose(s) we have told you about;
  • To ensure that your data is accurate and up to date;
  • To ensure that your data is only kept as long as necessary for the purpose(s) we have told you about;
  • To ensure that appropriate security measures are used to protect your data.

Somerville College’s Contact Details

If you need to contact us about your data, please contact dpo@some.ox.ac.uk

 

What personal data we hold about you and how we use it

We may hold and use a range of data about you at different stages of our relationship with you.  We might receive this data from you; we might create it ourselves, or we might receive it from someone else (for example if someone provides us with a reference about you).

 

Categories of data that we collect, store and use include (but are not limited to):

  • The contact details that you provide to us, including names, addresses and telephone numbers.
  • Your position, role, contract terms, grade, salary, benefits and entitlements.
  • Records about your recruitment, including your application paperwork, details of your qualifications, references (including names and contact details of referees), requests for special arrangements, communications regarding our decisions, and relevant committee and panel reports.
  • Details of any relevant criminal convictions or charges that we ask you to declare to us, either when you apply to us, or during your membership of the College. Relevant criminal convictions or charges are those that indicate you might pose an unacceptable risk to students or staff. Further, your role at the College may require that we conduct a Disclosure and Barring Service check, which will provide us with details of any relevant criminal convictions and/or cautions that you have received.
  • Copies of passports, right to work documents, visas and other immigration data.
  • Details of any medical issues and/or disabilities that you have notified to us, including any consideration and decision on reasonable adjustments made as a result.
  • Equality monitoring data.
  • Dietary requirements
  • Your financial details, including bank and building society account numbers, sort codes, BACS IDs, NI numbers, tax codes, payslips and similar data.
  • Pensions membership data, including identification numbers, quotes and projections, terms benefits and contributions.
  • Learning and development records, including your attendance, completions, accreditations and certifications.
  • Capability procedure records, including performance indicators, records of review meetings, feedback, decisions and outcomes.
  • Promotion and progression records, including applications, references and supporting materials, records of deliberations and decisions, feedback and awards.
  • Records regarding grievances, disciplinary proceedings or investigations prompted by, involving or relating to you.
  • Attendance and absence records, including leave requests, sickness records and related data.
  • Photographs, audio and video recording.
  • Computing and email information, including login information for our IT systems, IP address(es), equipment allocated to you and records of network access.
  • Biometric data, only as part of mandatory immigration records

Further categories of data that we hold in relation to current staff, office holders and senior members are set out in our Record of Processing Activity.

The lawful basis on which we process your data

The law requires that we provide you with information about the lawful basis on which we process your personal data, and for what purpose(s).

 

Most commonly, we will process your data on the following lawful grounds:

  • Where it is necessary to perform the contract we have entered into with you;
  • Where necessary to comply with a legal obligation;
  • Where it is necessary for the performance of a task in the public interest;
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We may also use your personal information, typically in an emergency, where this is necessary to protect your vital interests, or someone else’s vital interests.  In a small number of cases where other lawful bases do not apply, we will process your data on the basis of your consent.

 

How we apply further protection in the case of “Special Categories” of personal data

“Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. The Special Categories of personal data consist of data revealing:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership.

They also consist of the processing of:

  • genetic data;
  • biometric data for the purpose of uniquely identifying someone;
  • data concerning health;
  • data concerning someone’s sex life or sexual orientation.

We may process special categories of personal information in the following circumstances:

  • Where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the Somerville College or you in connection with employment, social security or social protection; or
  • With your explicit written consent; or
  • Where it is necessary in the substantial public interest, in particular:
    • for the exercise of a function conferred on Somerville College or anyone else by an enactment or rule of law; or
    • for equal opportunities monitoring;
  • Where the processing is necessary for archiving purposes in the public interest, or for scientific or historical research purposes, or statistical purposes, subject to further safeguards for your fundamental rights and interests specified in law.

We have in place appropriate policy documents and/or other safeguards which we are required by law to maintain when processing such data.

 

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

 

Criminal convictions and allegations of criminal activity

Further legal controls apply to data relating to criminal convictions and allegations of criminal activity.  We may process such data on the same grounds as those identified for “special categories” referred to above.

 

Details of our processing activities, including our lawful basis for processing

Details of the lawful bases we rely on for the processing of the categories of data that we hold in relation to current staff, office holders and senior members are set out in our Record of Processing Activity.  Details of retention periods, plus details of parties to whom we transfer data, and on what basis, are available here.

 

Data that you provide to us and the possible consequences of you not providing it

Most data that you provide to us is processed by us in order that we, and you, can each fulfil our contractual obligations and/or comply with obligations imposed by law.  For example:

  • Copies of your passport, right to work, and visa information will be collected by us at the time of your application to enable us to comply with UK Immigration and Visa requirements. We may also be required by law to retain that data, along with related information (such as your application paperwork, short-lists and selection committee papers) until a certain point after your employment with the College ends.
  • Financial data, including your account number and sort code, BACS ID, NI number, salary, tax codes and payments information are collected by us at the time of your appointment to enable us to pay you in accordance with the contract between us.
  • You have a contractual obligation to inform us of relevant conflicts of interest affecting your involvement in Somerville College management and decision-making. Failure to do so may undermine the reputation and integrity of the College, and may have legal implications.

The consequences for any failure to provide such data will depend on the particular circumstances.  For example, a failure to provide copies of your passport, right to work and visa information, may mean that we are unable to enter into, or continue, with your employment.  A failure to notify the College of relevant conflicts of interest may result in disciplinary proceedings being commenced.

 

Some data that you give to us is provided on a wholly voluntary basis – you have a choice whether to do so.  Examples include:

  • Equality monitoring data, which is requested by the College as part of the equality monitoring that we undertake pursuant to our legal obligations under the Equality Act 2010.
  • Disability and health condition information, which you may choose to provide to us in order that we can take this information into account when considering whether to make a reasonable adjustment.

Other sources of your data

Apart from the data that you provide to us, we may also process data about you from a range of sources.  These include:

  • Data that we generate about you, such as when processing your application, arranging payments, and/or in relation to accommodation provided by Somerville College
  • The University of Oxford, which operates a number of systems that Colleges have access to, including systems that allow Somerville College to access your [teaching allocation records and schedules];
  • Your previous educational establishments and/or employers if they provide references to us;
  • Fellow members of Somerville College family members, friends, visitors to Somerville College and other contacts who may provide us with information about you if and when they contact us, or vice versa.

Our Record of Processing Activity indicates the sources of each of the various categories of data that we process.

 

How we share your data

We do not, and will not, sell your data to third parties.  We will only share it with third parties if we are allowed or required to do so by law. Examples of bodies to whom we are required by law to disclose certain data include, but are not limited to:

 

Organisation Why?
Home Office;  UK Visas and Immigration To fulfil Somerville College’s obligations as a visa sponsor
Disclosure and Barring Service (DBS) Required for certain posts to assess an applicant’s suitability for positions of trust or where the post works with vulnerable people or children.  

 

The Higher Education Funding Council for England (HEFCE) Data submitted for the Research Excellence Framework (REF) which is a system for assessing the quality of research in higher education.
HM Revenues & Customs (HMRC) Real time information released to HM Revenue & Customs (HMRC) in order to collect Income Tax and National Insurance contributions (NICs) from employees.

 

Examples of bodies to whom we may voluntarily disclose data, in appropriate circumstances, include but are not limited to:

Organisation Why?
Other Colleges and/or PPH’s within the University of Oxford, University offices and/or departments Where a member is employed by or connected to both organisations, or are providing services in different parts of the collegiate university, we may need to share relevant data for the proper functioning of relevant contracts and services.
Agencies with responsibilities for the prevention and detection of crime, apprehension and prosecution of offenders, or collection of a tax or duty. For the prevention, detection or investigation of crime, for the location and/or apprehension of offenders, for the protection of the public, and/or to support the national interest.
Mortgage lender and letting agencies In order to allow these organisations to verify for mortgages and tenancy agreements.  Release of this information is subject to a written request being received from the employee.
Superannuation Schemes as used by the College In order to provide data required for the provision of pensions by these providers.
Higher Education Statistics Agency (HESA) Some information, usually in pseudonymised form, will be sent to the HESA for statistical analysis and to allow government agencies to carry out their statutory functions.
Occupational Health providers To enable the provision of these facilities.

 

Third party service providers To facilitate activities of Somerville College . Any transfer will be subject to an appropriate, formal agreement between Somerville College and the processor.

 

Where information is shared with third parties, we will seek to share the minimum amount of information necessary to fulfil the purpose.

 

All our third party service providers are required to take appropriate security measures to protect your personal information in line with our policies, and are only permitted to process your personal data for specific purposes in accordance with our instructions.  We do not allow our third party providers to use your personal data for their own purposes.

 

Sharing your data outside the European Union

The law provides various further safeguards where data is transferred outside of the EU.

When you are resident outside the EU in a country where there is no “adequacy decision” by the European Commission, and an alternative safeguard is not available, we may still transfer data to you which is necessary for performance of your contract with us .

 

Otherwise, we may transfer your data outside the European Union, but only for the purposes referred to in this notice and provided either:

  • There is a decision of the European Commission that the level of protection of personal data in the recipient country is adequate; or
  • Appropriate safeguards are in place to ensure that your data is treated in accordance with UK data protection law, for example through the use of standard contractual clauses; or
  • There is an applicable derogation in law which permits the transfer in the absence of an adequacy decision or an appropriate safeguard.

Automated decision-making

We do not envisage that any decisions will be taken about you based solely on automated means, however we will notify you in writing if this position changes.

 

How long we keep your data

We retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purpose of satisfying any legal, accounting or reporting requirements.  Details of expected retention periods for the different categories of your personal information that we hold are set out in our Record of Processing Activity.

 

Retention periods may increase as a result of legislative changes, e.g. an increase in limitation periods for legal claims would mean that Somerville College is required to retain certain categories of personal data for longer.  Any such changes will be reflected in updated versions of our Record of Processing Activity.

 

If there are legal proceedings, a regulatory, disciplinary or criminal investigation, suspected criminal activity, or relevant requests under data protection or freedom of information legislation, it may be necessary for us to suspend the deletion of data until the proceedings, investigation or request have been fully disposed of. Please note that we may keep anonymised statistical data indefinitely, but you cannot be identified from such data.

 

Your legal rights over your data

Subject to certain conditions and exception set out in UK data protection law, you have:

  • The right to request access to a copy of your data, as well as to be informed of various information about how your data is being used;
  • The right to have any inaccuracies in your data corrected, which may include the right to have any incomplete data completed;
  • The right to have your personal data erased in certain circumstances;
  • The right to have the processing of your data suspended, for example if you want us to establish the accuracy of the data we are processing.
  • The right to receive a copy of data you have provided to us, and have that transmitted to another data controller (for example, another University or College).
  • The right to object to any direct marketing (for example, email marketing or phone calls) by us, and to require us to stop such marketing.
  • The right to object to the processing of your information if we are relying on a “legitimate interest” for the processing or where the processing is necessary for the performance of a task carried out in the public interest. The lawful basis for any particular processing activity we carry out is set out in our detailed table of processing activities.
  • The right to object to any automated decision-making about you which produces legal effects or otherwise significantly affects you.
  • Where the lawful basis for processing your data is consent, you have the right to withdraw your consent at any time. This will not affect the validity of any lawful processing of your data up until the time when you withdrew your consent.  You may withdraw your consent by contacting the Somerville College Data Protection Officer at dpo@some.ox.ac.uk

If you wish to exercise any of your rights in relation to your data as processed by Somerville College please contact our Data Protection Officer at dpo@some.ox.ac.uk Some of your rights are not automatic, and we reserve the right to discuss with you why we might not comply with a request from you to exercise them. Further guidance on your rights is available from the Information Commissioner’s Office (https://.ico.org.uk/).  You have the right to complain to the UK’s supervisory office for data protection, the Information Commissioner’s Office at https://ico.org.uk/concerns/ if you believe that your data has been processed unlawfully.

 

Future changes to this privacy notice

We may need to update this notice from time to time, for example if the law or regulatory requirements change, if technology changes or to make the Somerville College or University’s operations and procedures more efficient.  If the change is material, we will give you not less than two months’ notice of the change so that you can exercise your rights, if appropriate, before the change comes into effect.  We will notify you of the change by updates to the College’s public website.

 

Version control: V.1.1 (May 2018)